Is Android ready for the Enterprise?

With the release of Google's Nexus One handset, the Android platform has had a lot of publicity recently. Offering high levels of user-customisation, social networking integration and a 'desktop-like' mobile browsing experience, the device is very attractive to consumers...but is the operating system ready for the Enterprise?

What is meant by an 'Enterprise-ready' operating system? Ideally the platform should offer the features required by a mobile user as well as conform to the security policy defined by the IT department.

Features

• Wireless access to corporate (Microsoft Exchange or Lotus Domino) email, contacts and calendar information, ideally updated via 'push' with no user-interaction required. All information exchanges between the device and the server should be secure. Access should preferably be available via both cellular and WiFi connections.
• Support for Virtual Private Networking (VPN) infrastructure enabling access to internal corporate applications and network resources
• Optionally, the device may need to be integrated with the corporate IP PBX providing free calls over WiFi when in the office between internal extensions, and landline-to-landline call charges for landline numbers.

Security

Providing remote access to sensitive corporate applications and information inherently comes with security risks: should the device be lost or stolen how do you prevent unauthorised access?

• An enterprise-ready platform should at the very least offer the administrator the ability to remotely wipe a device that has been reported lost or stolen by the user: or even the ability for the user to initiate a wipe themselves via a web browser as soon as they realise the device has been lost.
• It should also be possible to remotely apply a password usage policy to the device, so that users must enter a password on the device to unlock it, and the device should lock itself automatically after a period of inactivity. In the event that a password is incorrectly entered on the device x number of times in succession, the device should be able to wipe itself automatically.
• For ease of setup, enterprise-ready devices can have the necessary configuration settings for Internet access (both cellular and WiFi access points), email and VPN deployed remotely over the air, with little to no user interaction.
• Optionally, the platform should also support the ability to remotely enforce a corporate usage policy, enabling the administrator to remotely disable user access to certain hardware and software elements such as the camera, MMS, Bluetooth, etc. The ability for the user to install applications on the device, other than those expressly approved by the administrator, should also be configurable remotely.

Although it is fashionable to knock Microsoft products, and whilst it is true that the platform does look 'clunky' now compared to Android and the iPhone, it can't be denied that Windows Mobile 6.1 does address most of the above security concerns and device management functionality is included as part of the Exchange 2007 product, enabling the administrator to remotely wipe devices, enforce a password usage policy, enable and disable hardware and software elements as well as create application white- and blacklists.
Nokia's E and N Symbian S60 platform also natively supports the OMA-CP and OMA-DM protocols when used in conjunction with a suitable DM server product.
For more information on the DM functionality of Windows Mobile and Exchange as well as more powerful third-party DM solutions, read this article - http://blog.brightpointuk.co.uk/choosing-device-management-solution-q4-2009

So how does Android stack up?

Features

• Exchange Email - Android 2.1 features native Exchange support, but at the time of writing only the Nexus One features this version of the OS.
  HTC-branded Android devices (the Hero and the Tattoo at the time of writing) both already feature HTC's own fully-featured Exchange client which supports full mailbox synchronisation including subfolders as well as contact-lookup and out of office support - http://blog.brightpointuk.co.uk/setting-microsoft-exchange-synchronisati...

  

  For non HTC-branded devices, third-party solutions are available such as Dataviz's RoadSync application, purchasable via the Android Market.

• VPN support - Android 1.6 (Donut) brought with it support for Virtual Private Networks, including PPTP, L2TP and IPSec protocols as well as certificate authentication - http://blog.brightpointuk.co.uk/adding-vpn-connections-android-16-donut

  

• VoIP - SIPdroid is a free-to-use VoIP client for the Android platform that can be used to interface with any IP PBX that supports the SIP standard - http://blog.brightpointuk.co.uk/sipdroid

  

Security

• Open Source - Android is an open source platform based on the Linux kernel. As such it can be argued that whilst the open source project does mean a wealth of third party applications, it does also provide access to discover and exploit security vulnerabilities in the platform.

  One approach Google has taken when developing the Android platform is known as "application-sandboxing": all applications must state what hardware resources and file locations they require access to, and only those areas will be permitted by the operating system. It is not possible to alter these once installed without at least requiring approval by the user. This approval is requested during the initial installation and can be viewed at any point within the Applications setting menu:

  

  Android does also require that applications be signed before they can be installed, however the platform does not require that the certificate used to sign the application be 'root-trusted', therefore any old certificate can be used, rendering the feature fairly pointless, and the feature can be disabled altogether by the user:

  

• Remote Device Wipe - Although part of the Exchange ActiveSync protocol, it is not currently supported on the HTC Exchange client. This is on the roadmap for HTC Exchange 2.0. A third party solution such as Dataviz RoadSync would be required to enable this functionality. Any device marked for wipe from the Exchange server will not be able to synchronise any new information, but any information held on that device will not be erased.
• Password Usage - It is not possible to enforce use of a password on the Android platform using the Exchange ActiveSync policy without a third party application such as Dataviz RoadSync. Again, this is on the roadmap for HTC Exchange 2.0
  However it is worth noting that Android does support the use of hand gestures as a form of unlocking a device, rather than an alphanumeric password:

  

• Corporate Usage Policy - It is not possible to remotely enable or disable hardware or software elements on the Android platform at the time of writing, neither does the OS support on-device encryption.
  Some Device Management vendors have Android clients on their roadmap, such as Excitor DME (http://www.excitor.com)

Conclusion

Whilst a great consumer device, for enterprises that require granular control over the devices used by their staff as well as the ability to remotely wipe devices that are reported lost or stolen, Android is perhaps still too 'young' to satisfy all requirements.
That is bound to change in the future based on the break-neck pace of development witnessed on the platform to date...so watch this space for more information as it arrives.